Sarasota PC Monitor
Tech Talk (08/04)
NAT, DHCP, Routers & Security
by Brian K. Lewis, Ph.D.*
Member of the Sarasota Personal Computer Users Group, Inc.

As I read the many security bulletins that pass through my e-mail boxes, it often looks as if everyone on the Internet is there to cause trouble. Yes, I know that's an exaggeration, but trouble does seem to be on the increase. Unfortunately, the holes in browser software and operating systems have made much of this problem possible, and our "always on" broadband Internet connections have increased our exposure to viruses, parasites and hackers. I am certain that everyone reading this article uses a firewall, keeps their anti-virus software up to date and cleans out the parasite software every day. Right? Even so, it is still possible to improve the barrier between your computer and the invaders on the Internet. The title of this article refers to controls that can assist your software firewall in blocking outside access to your computers.
Whether or not you have a home network of two or more computers, putting a router between your computer and your broadband modem has some definite advantages. Even a single computer is safer behind a router. One reason for this is NAT, or Network Address Translation. Every computer connected directly to the Internet has an IP (Internet Protocol) address. This is basically a locator system like a street address: it enables your computer to be found and identified on the Internet. These addresses are 32-bit numbers, written as four numbers separated by dots (xxx.xxx.xxx.xxx), so there are only about 4.3 billion of them, and fewer than that are usable because large blocks are reserved. Even this is not enough, so a successor with much larger addresses (IPv6) has been designed. However, implementing it affects the entire infrastructure of the Internet and will take many years.
NAT allows the router to be the interface to the public network (Internet) and to hide the computer(s) on the local network. Generally, the router obtains its public address from the ISP when it is switched on. In the form of NAT used by home routers (also called NAPT, or port address translation), the local computers obtain their addresses from the router using DHCP (Dynamic Host Configuration Protocol). These local addresses come from a private range (192.168.x.x, 10.x.x.x or 172.16.x.x through 172.31.x.x) that is never routed on the public Internet, so they are invisible to computers outside. Only the router's public address is reachable from outside the local network. To the local computers, the router has a gateway address that is different from its Internet address, as shown in the table:
    Local computer address:  192.168.32.10
    Gateway address:         192.168.32.1
    Internet address:        62.240.76.250
When the local computer sends a data packet to a public network address (in other words, you tell your browser to connect to a web page), the router replaces the packet's source address with its own public IP address and replaces the source port with a port number it chooses. The router stores the internal IP address and port number of the local computer, together with the port it assigned, in an address translation table. The public network then sees only the router's IP address and assigned port as the source of the packet. When the router receives a return packet, it looks the destination port up in the translation table. This tells it which computer on the local network, and which port on that computer, should receive the packet. A packet that arrives for a port with no table entry matches no conversation the router knows about, and is discarded.
Using a router with this kind of NAT automatically gives you a simple firewall between the public network and the local network. The router allows only connections that originate within the local network. This means that a computer on an external network cannot connect to your computer unless your computer initiated the contact. Note that you can bypass this control deliberately when you need to. For example, if one computer on the local network is set up as a Web server, the router can be configured to forward a port (or, with a "DMZ host" setting, every port) to that computer so that it accepts connections from any external site. It can also be set to accept connections only from specific addresses. Be aware that a forwarded port is exactly as exposed as it would be with the computer plugged directly into the modem, so the service behind it must be kept patched.
Many routers can also provide other security functions. Wireless networks have limited security provisions, the WEP and WPA protocols. One of these should always be turned on, and WPA should be preferred where your equipment supports it: WEP's encryption is weak, and its key can be recovered by anyone who listens to enough of your traffic. Another provision in most routers allows recording the MAC address (Media Access Control) of the computers that are permitted to connect to the network. The MAC address is the hardware address or ID of the network card in the local computer. By listing the MAC addresses of your own computers, you can keep others with wireless connections off your wireless network. Even though they may be able to see your network, they will not be able to connect because they don't have an authorized MAC address. Understand the limit of this control, however: MAC addresses travel unencrypted in every wireless frame and can be changed in software, so a determined intruder can copy an authorized one. MAC filtering keeps out the casual neighbor, not a deliberate attacker; the encryption is what keeps the latter out.
Another security function provided by a router is dropping, or not responding to, an external network "ping" request. Hackers may use software that automatically sends a ping request to thousands of IP addresses. Any that respond are logged as possible targets. Most routers can be set to block or discard any pings received from the public network. This increases the invisibility of your computer on the Internet, though only against the crudest scans: a scanner can probe your ports directly without pinging first, and against that it is the NAT rule of dropping unsolicited connections that protects you.
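To make the translation table and the rules built on it concrete, here is an added example (not code from the original article, nor from any router vendor) that models the behaviour described in the last few paragraphs: outbound packets leave with the router's public address and a port of the router's choosing, return packets are mapped back through the table, anything that matches no entry is dropped, inbound pings are discarded, and a port forward to a local Web server can be limited to specific source addresses. Every address, port and packet is constructed for illustration, and the Packet and NatRouter names are the example's own.

```python
# Added example: a model of a home router's NAPT table and the stateful
# "inside originates, outside only answers" rule. All values are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int                     # for icmp this carries the echo identifier
    dst_ip: str
    dst_port: int                     # for icmp, the same identifier
    icmp_type: Optional[str] = None   # "echo-request" or "echo-reply"


class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 1024, drop_pings: bool = True):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.drop_pings = drop_pings
        self.table = {}     # (proto, public port) -> (lan ip, lan port, remote ip, remote port)
        self.flows = {}     # reverse index so later packets of a flow reuse its port
        self.forwards = {}  # (proto, public port) -> (lan ip, lan port, allowed sources or None)

    def add_forward(self, proto, wan_port, lan_ip, lan_port, allowed_sources=None):
        allowed = frozenset(allowed_sources) if allowed_sources else None
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port, allowed)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN-originated packet and remember the mapping."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.flows.get(flow)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.flows[flow] = wan_port
        if pkt.proto == "icmp":
            # the echo identifier is the only field the reply will carry back
            return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, wan_port, pkt.icmp_type)
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.icmp_type)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered to the LAN, or None if the router drops it."""
        if pkt.dst_ip != self.wan_ip:
            return None
        if pkt.proto == "icmp" and pkt.icmp_type == "echo-request" and self.drop_pings:
            return None                                   # ping sweeps get no answer
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            # only the host this flow was opened to may use the mapping
            if pkt.src_ip == remote_ip and (pkt.proto == "icmp" or pkt.src_port == remote_port):
                src_port = lan_port if pkt.proto == "icmp" else pkt.src_port
                return Packet(pkt.proto, pkt.src_ip, src_port, lan_ip, lan_port, pkt.icmp_type)
            return None
        fwd = self.forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            lan_ip, lan_port, allowed = fwd
            if allowed is None or pkt.src_ip in allowed:
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.icmp_type)
        return None                                       # nothing inside asked for this: drop


def demo():
    """Walk the scenarios from the article; returns what reached the LAN in each."""
    r = NatRouter(wan_ip="62.240.76.250")
    out = {}
    # a local computer opens a web connection; the outside sees only the router
    web = r.outbound(Packet("tcp", "192.168.32.10", 3456, "198.51.100.7", 80))
    out["translated_src"] = (web.src_ip, web.src_port)
    # the web server's reply is mapped back to the local computer and its port
    back = r.inbound(Packet("tcp", "198.51.100.7", 80, "62.240.76.250", web.src_port))
    out["reply_to"] = (back.dst_ip, back.dst_port)
    # a third party guessing that public port is not the host the flow went to
    out["spoofed"] = r.inbound(Packet("tcp", "203.0.113.9", 80, "62.240.76.250", web.src_port))
    # an unsolicited probe of a port nobody inside opened
    out["unsolicited"] = r.inbound(Packet("tcp", "203.0.113.9", 40000, "62.240.76.250", 135))
    # a ping sweep gets nothing, but a ping we sent still gets its answer back
    out["ping_in"] = r.inbound(Packet("icmp", "203.0.113.9", 1, "62.240.76.250", 1, "echo-request"))
    ping = r.outbound(Packet("icmp", "192.168.32.10", 7, "198.51.100.7", 7, "echo-request"))
    reply = r.inbound(Packet("icmp", "198.51.100.7", ping.src_port, "62.240.76.250", ping.src_port, "echo-reply"))
    out["ping_reply_to"] = (reply.dst_ip, reply.dst_port)
    # a local web server forwarded on port 80, but only for one external address
    r.add_forward("tcp", 80, "192.168.32.20", 80, allowed_sources={"198.51.100.7"})
    ok = r.inbound(Packet("tcp", "198.51.100.7", 5000, "62.240.76.250", 80))
    out["forward_allowed"] = (ok.dst_ip, ok.dst_port)
    out["forward_denied"] = r.inbound(Packet("tcp", "203.0.113.9", 5000, "62.240.76.250", 80))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {'dropped' if result is None else result}")
```

The point to notice in the model is that inbound delivery is decided entirely by the table the router built from outbound traffic (plus any forwards you added by hand): the outside world never gets to create an entry, which is why the simplest home router is also a stateful firewall.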
Now you may be saying that some of this is just what your software firewall is doing. That is quite true. However, if you have both a router with a firewall and a software firewall, you have really increased the level of security on your system by setting up two barriers to incoming data. And you don't have to have more than one computer in your system to set up this level of security. However, if you have more than one computer and want them to share a broadband connection to the Internet, then you really do need a router.
From the standpoint of the security of your network, a router is much more desirable than a hub or a switch. A hub is merely a pass-through device that repeats every packet to every computer connected to it. It is then up to each computer to accept or reject the packet. A switch does better: it learns which computer is on which port and delivers each packet only to the port where its destination lives. Neither device translates addresses or filters anything, however; a hub or switch connected straight to the modem puts every computer on the Internet directly. Switching is also a function of a router: home routers contain switch ports that direct packets to specific local destinations. Routers additionally determine the path to a destination. In the case of the Internet, many routers may be involved between the origin and destination computers.
You will note that in all this discussion, any data packet sent from a computer on the local network is passed on to its destination by the router. The router will then pass through any return data packets from the destination computer. This is an unfortunate characteristic of router firewalls and some software firewalls. It is possible for a computer to be infected when connected to a "respectable" Internet site. This can occur through "holes" in either the browser software or the operating system software. When this happens, a new application is loaded on the local computer that then tries to "call home". If you have no software firewall, or one that doesn't check outgoing packets, you can have a real problem, because to the router this looks like any other connection your computer started. This is the reason I recommend that every computer have a firewall such as ZoneAlarm, Sygate Personal Firewall or Tiny Personal Firewall. The Windows XP firewall does not check outgoing packets. The information I have seen on the next service pack (SP2) says that it also has no controls for this problem. If your firewall does check which program is sending outgoing packets, you have a chance to block outgoing messages from programs you never heard of before. Then you can investigate and remove any spyware, parasite, etc. that has managed to load itself on your hard drive.
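The check an outbound-filtering firewall makes is, at bottom, "which program is opening this connection, and is that program expected to talk to that kind of destination?" Here is an added example (not from the original article, and not the logic of any of the products named above) that runs that check over netstat-style connection records. The sample records, the program names in them, the addresses and the allow-list are all constructed for illustration; the private-address test is the standard RFC 1918 ranges.

```python
# Added example: an egress allow-list check over constructed connection records,
# the kind of decision an outbound-filtering personal firewall makes per program.
import re

# Which programs are expected to reach the Internet, and on which remote ports.
# This policy is an assumption made up for the example.
ALLOWED_EGRESS = {
    "firefox.exe": {80, 443},
    "outlook.exe": {25, 110, 143, 993, 995},
    "svchost.exe": {53, 80, 443},
}

# Constructed sample: protocol, local endpoint, remote endpoint, state, program.
# "winupdt32.exe" is an invented name standing in for a freshly installed parasite.
SAMPLE_CONNECTIONS = """\
TCP  192.168.32.10:3456  198.51.100.7:80     ESTABLISHED  firefox.exe
TCP  192.168.32.10:3457  198.51.100.7:443    ESTABLISHED  firefox.exe
UDP  192.168.32.10:1029  192.168.32.1:53     -            svchost.exe
TCP  192.168.32.10:3461  203.0.113.44:443    ESTABLISHED  svchost.exe
TCP  192.168.32.10:3470  203.0.113.9:6667    SYN_SENT     winupdt32.exe
TCP  192.168.32.10:3471  198.51.100.200:25   ESTABLISHED  firefox.exe
"""

RECORD = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_connections(text):
    """Turn the record lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        proto, lip, lport, rip, rport, state, program = m.groups()
        records.append({
            "proto": proto.lower(), "local_ip": lip, "local_port": int(lport),
            "remote_ip": rip, "remote_port": int(rport),
            "state": state, "program": program.lower(),
        })
    return records


def is_private(ip):
    """RFC 1918 ranges: traffic that stays inside the home network is not egress."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def audit_egress(text, allowed=ALLOWED_EGRESS):
    """Return (reason, program, remote_ip, remote_port) for each connection the policy would block."""
    findings = []
    for rec in parse_connections(text):
        if is_private(rec["remote_ip"]):
            continue                         # talking to the router or another local machine
        ports = allowed.get(rec["program"])
        if ports is None:
            findings.append(("unknown-program", rec["program"], rec["remote_ip"], rec["remote_port"]))
        elif rec["remote_port"] not in ports:
            findings.append(("unexpected-port", rec["program"], rec["remote_ip"], rec["remote_port"]))
    return findings


if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_CONNECTIONS):
        print("BLOCK %-16s %-14s -> %s:%d" % finding)
```

Two kinds of finding come out of the sample: a program nobody installed on purpose opening a connection to an outside address, and a known program using a port it has no business with. The first is the "call home" the paragraph above describes; the second is what you see when a parasite hides inside, or has replaced, a program you trust, which is why a good personal firewall asks about the program and the destination rather than the program alone.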
Anytime you have a broadband connection to the Internet, you must keep security uppermost in your mind. It is the thousands (millions?) of unprotected computers that are able to bring down Web servers by denial of service (DoS) attacks. Don't let your computer be one of them.
*Dr. Lewis is a former university & medical school professor. He has been working with personal computers for more than thirty years. He can be reached via e-mail at bwsail@yahoo.com.
Copyright 2004. This article is from the August 2004 issue of the Sarasota PC Monitor, the official monthly publication of the Sarasota Personal Computer Users Group, Inc., P.O. Box 15889, Sarasota, FL 34277-1889. Permission to reprint is granted only to other non-profit computer user groups, provided proper credit is given to the author and our publication. We would appreciate receiving a copy of the publication the reprint appears in; please send it to the above address, Attn: Editor. For further information about our group, email: admin@spcug.org, Web: http://www.spcug.org/

The Sarasota Personal Computer Users Group, Inc. has 1,100+ members and was established in 1982. We are members of the Assoc. of PC User Groups (APCUG), the Florida Assoc. of PC Users Groups, Inc., and we are members of the America Online Ambassador Program.
See http://www.spcug.org for all reviews from the Sarasota PC Monitor, go to the Newsletter Section.